Merge branch '8-142-implement_ca_cert' into 'ci'

Resolve "142-Implement_CA_cert" See merge request !14

Merge branch '8-142-implement_ca_cert' into 'ci'
Resolve "142-Implement_CA_cert" See merge request !14
118781a2 · Alexey Kuklin · b7425551 · 0921e31b · 118781a2 · 118781a2
Commit 118781a2 authored 6 years ago by Alexey Kuklin
--- a/Gopkg.toml
+++ b/Gopkg.toml
 [[constraint]]
-  branch = "master"
+  branch = "142-Implement_CA_cert"
  name = "code.vereign.com/code/viam-apis"

-[[constraint]]
-  branch = "master"
-  name = "code.vereign.com/code/data-storage-agent"
-
 [[constraint]]
  name = "github.com/golang/protobuf"
  version = "1.1.0"

--- a/config.yaml.sample
+++ b/config.yaml.sample
-dataStorageClientUrl: localhost:7777
-grpcClientUrl: localhost:7877
-restClientUrl: localhost:7878
+# Make sure you have a "config.yaml" file on the root folder of this repo

-# Certificate Related Config
+# You can use this sample YAML file to configure your installation
+
+# Connection Information
+dataStorageUrl: localhost:7777
+grpcListenAddress: localhost:7877
+restListenAddress: localhost:7878
+
+# Choose a certificate method for providing PEM strings
+# 1 = Read from file (*.crt and *.key files)
+# 2 = Read from Vault server (this will require additional config information for Vault)
+certificateMethod: 1
+
+# Read Certificates From Folder and Files
 certDir: cert
 certFile: server.crt
 certKey: server.key
 vereignCertFile: vereign_ca.cer
-vereignCertKey: vereign_ca.key
\ No newline at end of file
+vereignCertKey: vereign_ca.key
+caCertFile: ca.crt
+
+# Read Certificates From Vault Server
+vaultAddress: http://10.6.10.119:8200
+vaultToken: 00000000-0000-0000-0000-000000000000
+vaultPath: /developers/data/devteam/cert
+certificateKey: certificateKey
+privateKey: privateKey
+caCertificateKey: caCertificateKey
--- a/handler/generate_keypair.go
+++ b/handler/generate_keypair.go
@@ -39,7 +39,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
 	auth := s.CreateAuthentication(ctx)

 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
 	defer client.CloseClient()

 	generateKeyPairResponse := &api.GenerateKeyPairResponse{}

--- a/handler/handler.go
+++ b/handler/handler.go
@@ -36,6 +36,8 @@ import (
 type KeyStorageServerImpl struct {
 	DataStorageUrl            string
 	CertFilePath              string
+	KeyFilePath 			  string
+	CaCertFilePath			  string
 	VereignCertFilePath       string
 	VereignPrivateKeyFilePath string
 }
@@ -60,7 +62,7 @@ func (s *KeyStorageServerImpl) GetKey(ctx context.Context, in *api.GetKeyRequest
 	auth := s.CreateAuthentication(ctx)

 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
 	defer client.CloseClient()

 	getKeyResponse := &api.GetKeyResponse{}
@@ -107,7 +109,7 @@ func (s *KeyStorageServerImpl) SetKey(ctx context.Context, in *api.SetKeyRequest
 	auth := s.CreateAuthentication(ctx)

 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
 	defer client.CloseClient()

 	setKeyResponse := &api.SetKeyResponse{}
@@ -155,7 +157,7 @@ func (s *KeyStorageServerImpl) ReserveKeyUUID(ctx context.Context, in *api.Reser
 	auth := s.CreateAuthentication(ctx)

 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
 	defer client.CloseClient()

 	reserveKeyUUIDResponse := &api.ReserveKeyUUIDResponse{}

--- a/handler/revoke.go
+++ b/handler/revoke.go
@@ -29,7 +29,7 @@ func (s *KeyStorageServerImpl) Revoke(ctx context.Context, in *api.RevokeRequest
 	auth := s.CreateAuthentication(ctx)

 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
 	defer client.CloseClient()

 	revokeResponse := &api.RevokeResponse{}

--- a/main.go
+++ b/main.go
@@ -35,18 +35,19 @@ func main() {
 		return
 	}

-	grpcAddress := viper.GetString("grpcClientUrl")
-	restAddress := viper.GetString("restClientUrl")
-	dataStorageAddress := viper.GetString("dataStorageClientUrl")
+	grpcAddress := viper.GetString("grpcListenAddress")
+	restAddress := viper.GetString("restListenAddress")
+	dataStorageAddress := viper.GetString("dataStorageUrl")

 	certFilePath := certDir + "/" + viper.GetString("certFile")
 	privateKeyFilePath := certDir + "/" + viper.GetString("certKey")
+	caCertFilePath := certDir + "/" + viper.GetString("caCertFile")
 	vereignCertFilePath := certDir + "/" + viper.GetString("vereignCertFile")
 	vereignPrivateKeyFilePath := certDir + "/" + viper.GetString("vereignCertKey")

 	// fire the gRPC server in a goroutine
 	go func() {
-		err := server.StartGRPCServer(grpcAddress, certFilePath, privateKeyFilePath, vereignCertFilePath,
+		err := server.StartGRPCServer(grpcAddress, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath,
 			vereignPrivateKeyFilePath, dataStorageAddress)
 		if err != nil {
 			log.Fatalf("failed to start gRPC server: %s", err)

--- a/server/configs.go
+++ b/server/configs.go
@@ -9,14 +9,15 @@ func SetConfigValues() {
 	// Set Default Values For Config Variables

 	// Vereign API Related
-	viper.SetDefault("grpcClientUrl", "localhost:7877")
-	viper.SetDefault("restClientUrl", "localhost:7878")
-	viper.SetDefault("dataStorageClientUrl", "localhost:7777")
+	viper.SetDefault("grpcListenAddress", "localhost:7877")
+	viper.SetDefault("restListenAddress", "localhost:7878")
+	viper.SetDefault("dataStorageUrl", "localhost:7777")
 	
 	// Certificates Related
 	viper.SetDefault("certDir", "cert")
 	viper.SetDefault("certFile", "server.crt")
 	viper.SetDefault("certKey", "server.key")
+	viper.SetDefault("caCertFile", "ca.crt")
 	viper.SetDefault("vereignCertFile", "vereign_ca.cer")
 	viper.SetDefault("vereignCertKey", "vereign_ca.key")


--- a/server/server.go
+++ b/server/server.go
@@ -47,6 +47,8 @@ const (
 )

 var pkgCertFile string
+var pkgKeyFile string
+var pkgCaCertFile string

 func credMatcher(headerName string) (mdName string, ok bool) {
 	if headerName == "Session" {
@@ -70,7 +72,7 @@ func authenticateClient(ctx context.Context, s *handler.KeyStorageServerImpl, in
 		}

 		sessionClient := &client.DataStorageClientImpl{}
-		sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageClientUrl"), pkgCertFile)
+		sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageUrl"), pkgCertFile, pkgKeyFile, pkgCaCertFile)
 		defer sessionClient.CloseClient()

 		if clientAuth.Uuid == viamAuth.Uuid {
@@ -107,8 +109,10 @@ func unaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServ
 	return handler1(ctx, req)
 }

-func StartGRPCServer(address, certFilePath, privateKeyFilePath, vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageAddress string) error {
+func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageAddress string) error {
 	pkgCertFile = certFilePath
+	pkgKeyFile = privateKeyFilePath
+	pkgCaCertFile = caCertFilePath

 	// create a listener on TCP port
 	lis, err := net.Listen("tcp", address)
@@ -120,6 +124,8 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, vereignCertFileP
 	s := handler.KeyStorageServerImpl{
 		DataStorageUrl:            dataStorageAddress,
 		CertFilePath:              certFilePath,
+		KeyFilePath:			   privateKeyFilePath,
+		CaCertFilePath:			   caCertFilePath,
 		VereignCertFilePath:       vereignCertFilePath,
 		VereignPrivateKeyFilePath: vereignPrivateKeyFilePath,
 	}

--- a/server/server_test.go
+++ b/server/server_test.go
-/*
-Copyright (c) 2018 Vereign AG [https://www.vereign.com]
-
-This is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-package server
-
-import (
-	"log"
-	"os"
-	"testing"
-	"time"
-
-	dataStorageServer "code.vereign.com/code/data-storage-agent/server"
-	"code.vereign.com/code/data-storage-agent/utils"
-	"code.vereign.com/code/viam-apis/authentication"
-	ksapi "code.vereign.com/code/viam-apis/key-storage-agent/api"
-	ksclient "code.vereign.com/code/viam-apis/key-storage-agent/client"
-	timestamp "github.com/golang/protobuf/ptypes/timestamp"
-)
-
-const (
-	dataStorageGrpcAddress    = "localhost:7777"
-	keyStorageGrpcAddress     = "localhost:7877"
-	certFilePath              = "../cert/server.crt"
-	privateKeyFilePath        = "../cert/server.key"
-	vereignCertFilePath       = "../cert/vereign_ca.cer"
-	vereignPrivateKeyFilePath = "../cert/vereign_ca.key"
-)
-
-func TestSetAndGetKeys(t *testing.T) {
-	dataStorageClient := utils.CreateClientFromUuidAndSession("viam-system", "viam-session", dataStorageGrpcAddress, certFilePath)
-
-	keyStorageAuth := &authentication.Authentication{
-		Uuid:    "some-uuid",
-		Session: "some-session",
-	}
-
-	_, _, _ = dataStorageClient.RenewSession(keyStorageAuth.Uuid, keyStorageAuth.Session)
-
-	keyStorageClient := &ksclient.KeyStorageClientImpl{}
-	keyStorageClient.SetUpClient(keyStorageAuth, keyStorageGrpcAddress, certFilePath)
-	defer keyStorageClient.CloseClient()
-
-	uuid, statusList, _ := keyStorageClient.DoReserveKeyUUID()
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoReserveKeyUUID, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-
-	privateKey := &ksapi.Key{
-		Content: []byte{0, 1, 4},
-	}
-
-	statusList, _ = keyStorageClient.DoSetKey(uuid, ksapi.KeyType_PRIVATE, privateKey)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoSetKey, returned error: %s.", status.Code+":"+status.Description)
-			return
-		}
-	}
-
-	privateKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PRIVATE)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
-			return
-		}
-	}
-	if privateKeyResult.Content == nil || !utils.CompareByteArrays(privateKeyResult.Content, []byte{0, 1, 4}) {
-		t.Errorf("DoGetKey, incorrect keyResult.Content, expected: %v, but was: %v",
-			[]byte{0, 1, 2}, privateKeyResult.Content)
-	}
-
-	// Test setting the same key twice
-	statusList, _ = keyStorageClient.DoSetKey(uuid, ksapi.KeyType_PRIVATE, privateKey)
-	for _, status := range statusList {
-		if status.StatusType != ksapi.StatusType_ERROR {
-			t.Errorf("DoSetKey, expected error, but got success")
-			return
-		}
-	}
-
-	publicKey := &ksapi.Key{
-		Content: []byte{3, 4, 2},
-	}
-
-	statusList, _ = keyStorageClient.DoSetKey(uuid, ksapi.KeyType_PUBLIC, publicKey)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoSetKey, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-
-	publicKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PUBLIC)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-	if publicKeyResult.Content == nil || !utils.CompareByteArrays(publicKeyResult.Content, []byte{3, 4, 2}) {
-		t.Errorf("DoGetKey, incorrect publicKeyResult.Content, expected: %v, but was: %v",
-			[]byte{3, 4, 2}, publicKeyResult.Content)
-	}
-
-	statusList, _ = keyStorageClient.DoRevoke(uuid)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoRevoke, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-	revokedPrivateKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PRIVATE)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-	if revokedPrivateKeyResult.Revoked == false {
-		t.Errorf("DoRevoke, key was not revoked")
-	}
-	revokedPublicKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PUBLIC)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-	if revokedPublicKeyResult.Revoked == false {
-		t.Errorf("DoRevoke, key was not revoked")
-	}
-}
-func TestGenerateKeyPairAndCertificate(t *testing.T) {
-	dataStorageClient := utils.CreateClientFromUuidAndSession("viam-system", "viam-session", dataStorageGrpcAddress, certFilePath)
-
-	keyStorageAuth := &authentication.Authentication{
-		Uuid:    "some-uuid",
-		Session: "some-session",
-	}
-
-	_, _, _ = dataStorageClient.RenewSession(keyStorageAuth.Uuid, keyStorageAuth.Session)
-
-	keyStorageClient := &ksclient.KeyStorageClientImpl{}
-	keyStorageClient.SetUpClient(keyStorageAuth, keyStorageGrpcAddress, certFilePath)
-	defer keyStorageClient.CloseClient()
-
-	uuid, statusList, _ := keyStorageClient.DoGenerateKeyPair(2048)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGenerateKeyPair, returned error: %s.", status.Code+":"+status.Description)
-			return
-		}
-	}
-	if uuid == "" {
-		t.Errorf("DoGenerateKeyPair, uuid is empty")
-		return
-	}
-
-	privateKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PRIVATE)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
-			return
-		}
-	}
-	if privateKeyResult.Content == nil {
-		t.Errorf("DoGetKey, privateKeyResult.Content is nil")
-	}
-
-	publicKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PUBLIC)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
-			return
-		}
-	}
-	if publicKeyResult.Content == nil {
-		t.Errorf("DoGetKey, publicKeyResult.Content is nil")
-	}
-
-	nowTime := time.Now()
-	nowTimeSeconds := time.Now().Unix()
-	nowTimeNanoSeconds := int32(nowTime.Sub(time.Unix(nowTimeSeconds, 0)))
-	notBefore := &timestamp.Timestamp{
-		Seconds: nowTimeSeconds,
-		Nanos:   nowTimeNanoSeconds,
-	}
-	timeAfterOneDay := nowTime.Add(1000000 * 3600 * 24)
-	secondsAfterOneDay := time.Now().Unix()
-	nanoSecondsAfterOneDay := int32(timeAfterOneDay.Sub(time.Unix(secondsAfterOneDay, 0)))
-	notAfter := &timestamp.Timestamp{
-		Seconds: secondsAfterOneDay,
-		Nanos:   nanoSecondsAfterOneDay,
-	}
-
-	certificateData := &ksapi.GenerateCertificateRequest_CertificateData{
-		Country:            "BG",
-		Organization:       "company",
-		OrganizationalUnit: "DEV",
-		CommonName:         "CN",
-		NotBefore:          notBefore,
-		NotAfter:           notAfter,
-		Host:               "abcde.com",
-	}
-
-	statusList, _ = keyStorageClient.DoGenerateCertificate(uuid, certificateData)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGenerateCertificate, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-
-	certificate, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_CERTIFICATE)
-	for _, status := range statusList {
-		if status.StatusType == ksapi.StatusType_ERROR {
-			t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
-		}
-	}
-	if certificate == nil || certificate.Content == nil {
-		t.Errorf("DoGetKey, certificate is nil")
-	}
-}
-
-func TestMain(m *testing.M) {
-	// fire the gRPC server in a goroutine
-	go func() {
-		err := dataStorageServer.StartGRPCServer(dataStorageGrpcAddress, certFilePath, privateKeyFilePath)
-		if err != nil {
-			log.Fatalf("failed to start gRPC server: %s", err)
-		}
-	}()
-
-	// wait a second for the server to start
-	time.Sleep(time.Duration(1) * time.Second)
-
-	// fire the gRPC server in a goroutine
-	go func() {
-		err := StartGRPCServer(keyStorageGrpcAddress, certFilePath, privateKeyFilePath,
-			vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageGrpcAddress)
-		if err != nil {
-			log.Fatalf("failed to start gRPC server: %s", err)
-		}
-	}()
-
-	// wait a second for the server to start
-	time.Sleep(time.Duration(1) * time.Second)
-
-	retCode := m.Run()
-	os.Exit(retCode)
-}